Identifying and Safeguarding PII (Personally Identifiable Information)
by
Reading Time: 7 min
Who would want their personally identifiable information and sensitive data to be compromised and used by someone for fraudulent activities? But the sad reality is, this has now become common practice.
It was recently revealed that almost 50% of the data breaches between 2021 to 2023 were of the customers’ Personally Identifiable Information (PII), and 40% of that data was from employees. This data was recorded during a survey in Oct 2023.
PII isn’t very complicated, but it is still important to understand what it is and the importance of securing it. This guide contains all the answers to help you protect your PII and yourself.
What is PII (Personally Identifiable Information)?
PII, or Personally Identifiable Information, is information that is a significant part of your identity and can point directly at you.
Imagine it as a secret code that, on its own or when mixed with other information, can reveal your identity. So, it’s not just your name and address; it’s like the puzzle pieces that, when put together, create the full picture of “you.”
For example, suppose your name is John. There are many other people around the world having the same name due to which it cannot be considered PII. But what if we say your name is John Doe, and you live in Manhattan with a social security number AXY123? Now, it becomes a PII and can uniquely identify you from other Johns living in some other areas.
PII can be divided into non-sensitive and sensitive. We will be covering it next.
Non-Sensitive & Sensitive PII Information
The US Department of Defense provides a list of examples with respect to PII. From social security numbers to personal addresses, all of these can fall under personally identifiable information.
Let’s take a look at the two distinctive categories of PII:
Sensitive PII
Sensitive PII is information that can single out an individual very easily. This type of PII can be damaging to the individual it belongs to if it is retrieved by a cybercriminal.
Examples of Sensitive Personally Identifiable Information
- Social Security Number (SSN)
- Driver’s license
- Mailing address
- Credit card information
- Passport information
- Financial information
- Medical records
Non-sensitive PII
Any information, such as a maiden name, which can identify a person but cannot be used to harm them is defined as Non-sensitive PII.
Examples of Non-Sensitive Personally Identifiable Information
- First Name
- Zip code
- Race
- Gender
- Date of birth
- Place of birth
- Religion
If you or any business wants to collect PII, they’ll have to use online forms, surveys, and social media with preferably a non-disclosure agreement attached. Make sure that whenever you’re providing your PII to someone, check if they have a proper plan in place for using, storing, and protecting the information.
Why is PII Important?
PII is critical because it protects your data. Any businesses or organizations that have your PII are legally obligated to safeguard it at all costs. It provides a guarantee of the safety and security of your personal information.
Businesses can use your information for multiple purposes, like:
- Targeted advertising
- Fraud prevention
- Law enforcement
- Credit scoring
- Employment screening
How can PII be Stolen?
Attacks such as social engineering using a spoofed domain name or email can trick people into revealing PII. It is also possible for private information to be leaked via instances of a hacked email account, data breaches, etc.
Here are some common ways using which PII can be stolen:
- Phishing emails: Fake emails luring victims to disclose their PII
- Data breaches: Attackers exploit system vulnerabilities to breach sensitive databases
- Dumpster diving: Retrieving deleted documents from trash that contain PII
- Social engineering: Manipulating unsuspecting victims into sharing personal information
- Malware: Malicious software that infiltrates files containing PII on your computer
- Insider threats: Your own employees disclosing PII for malicious intent or money
- Cyber Eavesdropping: eavesdropping on online communications to steal PII
- Hacked email accounts: Gaining access to email accounts to read chats containing PII
- Man-in-the-middle attacks: Attacker intercepting online communications to steal PII
- Brute-force attacks: Gaining unauthorized access to accounts by using brute force like constant retrials, and then stealing PII
Methods to Safeguard PII
Various countries have adopted multiple data protection laws to create guidelines for companies that gather, store, and share clients’ personal information. Let’s look at the ways in which you can safeguard your PII.
- Use strong passwords wherever necessary.
- Be cautious about the details that you share online.
- Routinely monitor your credit reports for signs of fraud.
If you’re a business owner, you should consider the below-mentioned steps:
- Only collect the PII that is necessary to provide a specific service.
- The encryption used in businesses should be robust to prevent their employees’ and customers’ PII from unauthorized access.
- Access to PII should be limited to only those employees who need it to perform their duties.
- A training session should be held to train employees on how to protect PII.
- Always keep a close eye on any security breaches that might happen suddenly.
- There should be a data breach response plan so it can be used quickly to respond to a data breach and minimize the damage.
The US Department of Homeland Security has also published an insightful document defining how to protect and share your PII safely.
Importance of Protecting PII from Data Breaches
A data breach occurs when someone who has no authorization from the company accesses computer systems, potentially leading to the acquisition of sensitive information.
While researching, we found a study that showed over 6 million records were breached worldwide in 2023. It is one of the most concerning factors for company leaders.
These data breaches may occur due to various reasons, like:
- Malware
- Hacking
- Human errors
Businesses can follow the practices mentioned below to protect their data from breaches:
- Implementing appropriate security measures.
- Educating their employees on the best practices within the cybersecurity world.
- Have a response and remediation plan in place if data breaches do suddenly occur.
PII Laws & Regulations
PII is regulated by many laws and regulations. These ensure that individuals’ privacy is safe and they don’t have to worry about threats like impersonation. Some of these federal laws are:
1. Privacy Act of 1974
The Privacy Act of 1974 lays down the rules for federal agents when it comes to collecting, using, and spilling the beans on PII. This act also makes it a must for federal agencies to let people know if they can disclose their PII, and there are penalties waiting if one fails to do so. However, there are certain special cases and exceptions to this.
2. Health Insurance Portability and Accountability Act
Then there’s HIPAA, the Health Insurance Portability and Accountability Act, the superhero for health records. It demands that healthcare institutions and providers must keep patient information under wraps, and not disclose their health records without consent.
3. Freedom of Information Act
And don’t forget the FOIA, the Freedom of Information Act. It’s the golden ticket for people wanting to dig into government files. It tells federal agencies, “Show your cards unless it’s super secretive.” So, basically, it’s the public’s backstage pass to government info! However, the FOIA also acts as a protector of PII by asking law enforcement agencies to withhold information that can be personally identifiable or damaging.
4. General Data Protection Regulation (GDPR)
In 1995, there was a Data Protection Directive, but later, GDPR took over to safeguard personal information. Now, any company dealing with the personal data of EU citizens, whether they’re based in the EU or elsewhere (yes, even the US!), has to follow the same set of rules.
Non-compliance may result in hefty fines – 4% of your global annual revenue or €20 million, whichever is more painful – for the violation of certain provisions. Plus, individuals have the right to complain if they think their GDPR rights were violated.
Remember, GDPR is the global sheriff for data privacy, making sure companies don’t play fast and loose with people’s personal information. It’s the guardian of your data, keeping the digital world in check.
How Can Businesses Protect their Customers’ Data?
For businesses looking to up their security game, consider these handy tips:
- Implement Network Segmentation: Think of it like building walls within your digital kingdom. If one area gets breached, the others can stay strong. It’s like having secret compartments in your data vault.
- Enforce Security Policies and Procedures: Set the rules and make sure everyone plays by them. It’s like having a security handbook – everyone knows what’s allowed and what’s a big no-no.
- Frequently Back Up the Data: Imagine your data as treasure and backups as a secret stash. If the pirates come (aka data breaches), you still have your secret stash to fall back on.
- Establish a Comprehensive Response Plan for Data Breaches: Plan out every move – from spotting trouble to fixing it.
Impact of Identity Theft and Misuse of PII
Identity theft is no joke – it can bring serious financial headaches. Imagine someone impersonating you and going on a shopping spree or taking out loans in your name without asking – or worse, carrying out illegal activities!
Identity theft and stolen PII can lead to:
- Severe financial damages
- Emotional distress and anxiety
- Legal turmoil for crimes committed in your name
- Loss of credibility and reputation in the industry
- Loss of customer trust
Final Words
A popular vector for retrieving PII is phishing emails impersonating or spoofing your domain name. We recommend setting up a DMARC for your emails and domains to remain safe from this. And there is no better way to configure and monitor your implementation safely than PowerDMARC! We are a team of domain security experts who specialize in helping you minimize email fraud through authentication. Get in touch today for a free DMARC trial!
Remember to share as little personal information as you can on the internet! Stay safe and stay vigilant online.
Domain & Email Security Expert at PowerDMARC
Ahona is the Marketing Manager at PowerDMARC, with 5+ years of experience in writing about cybersecurity topics, specializing in domain and email security. Ahona holds a post-graduation degree in Journalism and Communications, solidifying her career in the security sector since 2019.
Latest posts by Ahona Rudra (see all)
- DMARC MSP Case Study: CloudTech24 Simplies Domain Security Management for Clients with PowerDMARC - October 24, 2024
- The Security Risks Of Sending Sensitive Information Via Email - October 23, 2024
- 5 Types of Social Security Email Scams & How to Prevent Them - October 3, 2024
